Students, either because of their naivety or just plain carelessness, are ideal candidates to have their identities stolen. They may loan their campus card to another student to use in the dining hall or just leave their card and other personal possessions unattended while they participate in a basketball game.

New rules set to take effect at the end of this year are designed to protect students from their own negligence while providing more paperwork for colleges. These “red flag rules,” designed to protect bank customers–and students–against ID theft, have caught many schools by surprise.

Ramonia Prosise, manager of university telecom services and the 1Card at Virginia State University, Petersburg, Va. gave college administrators a heads up on red flag during this year’s National Association of Campus Card Users conference in Phoenix in April.

The rules have caused concern for some campuses while others may not even realize they exist. Prosise had been working on a white paper for NACCU about it and the presentation at the conference dovetailed with it. “A lot of schools were taken by surprise,” she says.

The rule was developed under the Fair and Accurate Credit Transactions Act (FACTA), where Congress directed the Federal Trade Commission and other agencies to develop regulations requiring creditors and financial institutions to address the risk of identity theft.

The resulting rules require organizations that provide covered financial accounts to develop and implement written identity theft prevention programs to help detect patterns or activities–known as “red flags”–that could indicate identity theft. The rule became effective Jan. 1, 2008, with compliance originally required by that November. But a series of extensions have pushed the deadline back to Dec. 31, 2010.

FACTA defines a financial institution as any organization that offers accounts enabling consumers to write checks or make payments to third parties through other means.

Under this definition, universities that hold student funds in an account and give students a card to make purchases at off-campus locations are considered financial institutions. If the school provides government benefits or administers flexible spending accounts and gives students a debit card to access the funds they would also be considered a financial institution.

Schools that offer tuition payments plans or that bill for tuition after students attend class could also be included depending on how the specific program is structured. Schools that require payment up front or that offer pay as you go plans that would bar students from class if they don’t pay are not considered creditors and thus would not be impacted.

What to do?

There are a number of things schools can do to comply with the rules. “It starts at the top, through a university governing body that can appoint a board committee made up of vice presidents, internal auditors, etc.,” says Prosise. That’s how Virginia State handled it.

That governing body started by reviewing anything that might deal with ID information for the school’s customers and students, she says. VSU then took the FTC information and adopted it to our own language and standards,” she adds.

Virginia State hasn’t had any major ID theft issues, says Prosise, “But there’s been some minor instances, like students taking other students’ ID cards and trying to pass it off in the cafeteria,” she says. “You’re spending someone else’s money, which is just as bad as taking someone’s ID.”

The most common offense students are guilty of is passing around student IDs, says Prosise. It’s their way of lending money to one another. Students need to be told not do this because the cards that are attached to other financial accounts can be at risk.

PINs currently aren’t required at Virginia State but each card, supplied by Heartland Campus Solutions, does have the student’s photo. In order to prevent student’s from using one another’s IDs a clerk would have to match the photo to the one on the ID, which doesn’t always happen. In one instance, a student stole $300 from another student because no one bothered to check the photos. The card is a basic ID with a mag stripe with a proximity chip for physical access control, says Prosise. To comply with the red flag rules Virginia State is going to add a PIN for transactions. The new system should be rolled out by the end of the year.

Penalties

Colleges that don’t comply with red flag can be fined civil penalties and injunctive relief for violations. The law sets $3,500 as the maximum civil penalty per violation. The FTC, however, has no formalized plan in place to assure compliance. But if complaints are leveled against an institution, the agency could insist on seeing the organization’s red flag rule processes.

The FTC also doesn’t tell institutions specifically what red flag programs must look like. This has caused some consternation. “A lot of people don’t know where to start,” Prosise says

There are four basic steps to designing a program to comply with the red flag rule. An institution should know how to identify and detect red flags, prevent or mitigate ID theft and have a system in place that will update the program periodically.

Relevant red flags can include:

Alerts, notifications, or warnings from a consumer reporting agency;

Suspicious documents;

Suspicious personally identifying information;

Suspicious activity relating to a covered account; or

Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

Prosise provides some examples of what makes a document suspicious:

Documents provided for ID purposes that appear to have been altered or forged.

The photograph or physical description on the ID is not consistent with the applicant’s appearance.

Other information on the ID is not consistent with information provided by the person opening a new account or with information that is on file with the university, such as a signature card.

An application appears to have been altered.

To determine that personal information from an applicant is bogus, universities need to look for inconsistencies in the information provided by the students, says Prosise. If a red flag crops up a university’s response could include monitoring the account or contacting the cardholder when it’s spotted.

“Sometimes you may determine that no response is necessary. In other cases, certain events such as a recent data breach, a phishing fraud that targeted your institution, or another suspicious activity may raise the risk of identity theft and require specific preventive actions,” says Prosise.

One key step in ID theft prevention is to educate students on how easy it is for their ID to be stolen. VSU presents a skit at the beginning of each semester to illustrate this, says Prosise. “We try to tell them what not to do. Don’t leave your things unattended. Protect yourself. Don’t even trust your roommate,” Prosise warns. “We have a zero tolerance for theft.”

While a student’s picture is usually required when he enrolls, that’s not good enough for the day the student steps on campus. “On that day I want that student’s picture taken, I don’t want one from high school,” says Prosise.

She says the policies the university is developing will be turned over to the FTC by the governing board.

VSU is currently meeting all the red flag requirements but since the red flag rules were written primarily to include banks and other financial institutions, she intends to meet with the bank affiliated with the school to see if anything else is needed, she adds.

While banks are intent on complying with red flag, those contacted by CR80News did not want to be interviewed on the subject. “It’s a sensitive area,” says a spokesperson for one bank.

Want more on red flags?

The National Association of College and University Business Officers has a Web site devoted to red flag compliance, including sample documents from several universities.